jamesw

jamesw

Getting noticed

Member since Oct 12, 2018

9 hours ago
Groups
  • API Early Access Group

    API Early Access Group

    598
View All
Kudos from
User Count
Alexs20
Alexs20
1
CN
Meraki Alumni (Retired) CN
1
PhilipDAth
Kind of a big deal PhilipDAth
1
CptnCrnch
Kind of a big deal CptnCrnch
1
View All
Kudos given to
User Count
alemabrahao
Kind of a big deal alemabrahao
1
AlexanderN
Meraki Employee AlexanderN
1
Rodrigo_
Meraki Employee Rodrigo_
1
Martin_Rowan
Martin_Rowan
1
View All

Community Record

40
Posts
4
Kudos
0
Solutions

Badges

5th Birthday
25 Posts
First 5 Posts
Lift-Off View All
Latest Contributions by jamesw

Sign on splash with Meraki Cloud Authentication option - user limit?

by jamesw in Wireless LAN
08-16-2023 02:26 AM
We need to authenticate many users via an external captive portal, but without RADIUS/LDAP etc, so using Meraki Cloud Authentication:

Is there a limit on how many devices we can have authenticate against a pre-configured Meraki guest user (configured in Network > Users like so)? We have enabled the "Allow simultaneous logins" option, but nowhere is a limit mentioned.

We don't need to know, nor care about, the user's username (we've already validated them during the captive portal phase), we're merely using this pre-configured username/password in order to authenticate them at the end of the captive portal journey and get them online. The network could have upwards of 10,000 users per day using this username/password. (The user never knows about this user/pass, it's all done from our server side via the login_url as part of the normal external captive portal flow.)

We can't use the splash with "click through" as we're authenticating the user from the server side API call (once they hit our external captive portal etc), not from the user's browser by way of redirects, and click through relies on the p_splash_session cookie which the external server does not have access to as it's set on the nxx.network-auth.com URL initially.

Thanks

Re: Org wide group policy for some clients

by jamesw in Developers & APIs
08-13-2023 02:00 AM
Thanks.

As per above then, is there a limit of clients? Meraki's group policy page says 3,000 for manually applied, however I've been able to add 70,000 without error...

Re: Org wide group policy for some clients

by jamesw in Developers & APIs
08-12-2023 04:06 PM
I don't follow.

1. You create a template and add all your networks to it.
2. You create a group policy inside the template.
3. You assign clients to the group policy.

As the group policy is mapped to the template, isn't any client added to the group policy mapped to all networks?

Are you saying that despite having a group policy at template level, you still have to go into each network separately and add a client to the group policy, for the same MAC?

Re: Org wide group policy for some clients

by jamesw in Developers & APIs
08-12-2023 03:58 PM
So if I apply all networks in the org to a template, and add the clients to a group policy defined on the template, the clients will get assigned the policy on ALL networks mapped to the template?

Re: Org wide group policy for some clients

by jamesw in Developers & APIs
08-12-2023 01:46 PM
Thanks @RaphaelL and @alemabrahao.

I thought as much.

I read the same about the 3,000 limit for group policies. I've tested, via API, adding tens of thousands of client MACs and it's accepted it just fine, so now not so sure:

If using network templates, can you do group policies within them?

Thanks

Org wide group policy for some clients

by jamesw in Developers & APIs
08-12-2023 09:33 AM
If you have 5000 networks, and you want to apply a custom group policy to some clients across your org, how can this be achieved without creating 5000 group policies (one per network) and mapping the client to each network's created group policy?

Basically, we are looking to assign some clients a particular policy across the estate.

Also, how many clients can be added to a group policy? We need potentially 100k+.

Thanks

Re: RADIUS accounting issue - Meraki only sending Start packets, not Interi...

by jamesw in Wireless LAN
05-22-2023 12:33 AM
Yeah, got a ticket open but their support is not yet finding anything, even though it has to be 100% the Meraki RADIUS cloud as it is that which sends the RADIUS packets out (not the AP or from customer premise).

It's not the specific RADIUS proxy option, but when you enable splash page with RADIUS authentication, all RADIUS traffic comes from the Meraki cloud.

RADIUS accounting issue - Meraki only sending Start packets, not Interim/St...

by jamesw in Wireless LAN
05-19-2023 01:36 PM
Since 12/13 April we've seen an issue across our customer estate (both in Europe and Americas) where the Meraki Cloud RADIUS client has stopped sending us Accounting Interim and Stop packets. We do get the Start packet, however. This is for captive portal authentications (not WPA2-Enterprise).

This causes a problem because the Interim and Stop packets are needed to read the attributes that include how long the session length was, and how much download/upload usage for the session etc.

The Start packet looks like:

    User-Name = "abc123"
    NAS-IP-Address = 209.206.50.44
    NAS-Port = 0
    Service-Type = Login-User
    Framed-IP-Address = 10.3.8.112
    Called-Station-Id = "E4-55-A8-AA-BB-CC:ssid"
    Calling-Station-Id = "A6-96-DA-AA-BB-CC"
    NAS-Identifier = "Meraki Cloud Controller RADIUS client"
    NAS-Port-Type = Wireless-802.11
    Acct-Status-Type = Start
    Acct-Delay-Time = 0
    Acct-Session-Id = "825284631727869728"
    Event-Timestamp = "May 19 2023 20:33:37 UTC"
    NAS-Port-Id = "Wireless-802.11"
    Meraki-Device-Name = "AP-Name-Here"
    Authenticator-Field = 0x8c8d2982acee4ebbc1bd4c877dab3776

Normally, once the Start packet occurs, Interim updates are sent every five minutes until such a time when the session ends, then a Stop packet is sent. We're not receiving these packets at all, across hundreds of different customers. We've performed a raw packet capture on our RADIUS server(s) and the packet doesn't even reach us, so the Meraki Cloud is not sending them.

Anyone else seeing this behaviour?

Thanks,

James

Re: Meraki MR33's flooding network with LLDP

by jamesw in Wireless LAN
08-14-2022 05:33 PM
Could it be going crazy if there is a PoE power issue from the connected switch, or is LLDP just broadcasting its state?

Re: Meraki MR33's flooding network with LLDP

by jamesw in Wireless LAN
08-14-2022 04:38 PM
Thanks, but not seeing any other broadcast traffic being duplicated or similar. The Merakis are on their own PoE switch, and if I disable the uplink port to our main switch the traffic instantly drops from 5MB/s to nothing (of course), but as soon as I enable the port again it goes mental.

Additionally, if I run the packet capture on the Meraki dashboard, selecting the APs, this also shows the Meraki sending all of the LLDP broadcasts, so this is definitely coming from the AP itself.

Meraki MR33's flooding network with LLDP

by jamesw in Wireless LAN
08-14-2022 03:18 PM
I have three MR33s in an office and between them I'm seeing over 61,000 LLDP broadcasts in 40 seconds, all the same stuff. It's causing over 5MB/s on the switch ports they are connected to and because it's broadcast traffic this is going through all my switches/router. What are they doing? How can I disable LLDP on the APs so they stop spamming?

Thanks!

Re: How to use both MAC based authentication *and* Click through/sign on at...

by jamesw in Wireless LAN
06-09-2021 01:38 AM
So kind of got this working with the MAC-based control and click through, but unfortunately it doesn't send Accounting Interim packets (only Start and Stop) so that's not great for what we need. When using "Sign on with my RADIUS server" it does send Interim updates as it has for many years. Hmm...

Re: How to use both MAC based authentication *and* Click through/sign on at...

by jamesw in Wireless LAN
06-04-2021 12:48 AM
Thanks Rodrigo. This is how most vendors work - if MAC authentication fails (Access-Reject), the user will be redirected to the captive portal page for authentication. If MAC authentication succeeds (Access-Accept) the user is straight online, no captive portal redirect.

I understand Meraki do it slightly differently, in that you must always send an Access-Accept else the client will not be able to even join the WLAN, but we still need some way to redirect them to the captive portal so they can register/login etc.

Re: MR 28 Private Beta Sign Up

by jamesw in Wireless LAN
05-31-2021 10:56 AM
Interested to know more on what you use the "Called-Station-Id" for when using the proxy, and why the format can't be changed? 🙂

Thanks

Re: MR 28 Private Beta Sign Up

by jamesw in Wireless LAN
05-27-2021 09:19 PM
I really don't understand this decision. Why introduce a feature to make it more flexible, then take it away? Is there a technical reason why Meraki can't allow a customised Called-Station-Id format? This means your systems do not match and have no parity.

This will mean customers are not able to use the proxy, because it still uses the BSSID as the Called-Station-Id which is not useful. In your previous reply, you state "The change from BSSID to MAC address does now align with the rest of the industry" - but not if using proxy 🤔

Re: MR 28 Private Beta Sign Up

by jamesw in Wireless LAN
05-27-2021 10:25 AM
What do you mean, you don't support it because you use it? 🙂

If a packet is being proxied from an AP, it should honour the same going through the proxy. If you can customise the NAS-ID when going through the proxy, what's the problem doing the same for Called-Station-Id?

This effectively means the proxy is useless as it can't be set to what it needs to be...

Re: Mac-based authentication with ISE / cloud RADIUS server and CoA

by jamesw in Wireless LAN
05-24-2021 02:01 PM
We could, but it goes against the reason we exist, because customers don't want to install/set up anything that they don't already have. So, we can generally work with any wireless kit just by running our captive portal and RADIUS in the cloud, at no cost or extra software/hardware installed on the customer's site.

Re: Mac-based authentication with ISE / cloud RADIUS server and CoA

by jamesw in Wireless LAN
05-24-2021 01:24 PM
I see your point, but the problem is we are not a "customer" but a service provider. We don't own the kit, or install it, or have access to the setup on site. We provide a cloud captive portal/authentication/analytics service, so it's not easy to ask our customers to configure site-to-site to us as we have thousands of Meraki customers around the globe using our solution and for now, we still can't support MAC authentication with captive portal bypass.

Re: MR 28 Private Beta Sign Up

by jamesw in Wireless LAN
05-24-2021 01:21 PM
Hi Rodrigo

Correct, on the Access Control page. This is what I have set:

    Association requirements: MAC-based access control
    Splash page: None or Click-through

Scroll down to the RADIUS options and set:

    RADIUS CoA support: Unchecked
    RADIUS proxy: Checked

You'll see when you enable the RADIUS proxy option, the new Called-Station-Id option disappears but the NAS-ID option is there!

Thanks

Re: Mac-based authentication with ISE / cloud RADIUS server and CoA

by jamesw in Wireless LAN
05-24-2021 01:15 PM
Thanks for the reply!

We're not using any kind of strange design, nowhere in the documentation does it mention or indicate that you must use a local, on-site based ISE server. Everything is moving off-site to the cloud, including the way Meraki has worked from day one - they are a cloud controller and RADIUS server, with just the APs on site.

In reality, we're doing no different by hosting our RADIUS server in the cloud, it's just that there seems to be an expectation that an ISE server is local, which isn't practical when you are a large service provider.

Therefore, I feel Meraki should make it possible to proxy this traffic/feature or at least some API service so that we can send the CoA to the Meraki cloud, which can then send the signal direct to the relevant AP, without any firewall/port forward mess.

The problem actually arises because Meraki are the only vendor I know that do not support MAC authentication with proper captive portal bypass. They do not allow you to select both MAC-based access control along with splash sign on via RADIUS server. So, their recommendation is to use the ISE option, which, in its current state, is one step forward and two steps back 🙂

Re: MR 28 Private Beta Sign Up

by jamesw in Wireless LAN
05-24-2021 12:02 PM
Thanks Rodrigo!

This is also a similar query - wondering if you might be able to answer?

https://community.meraki.com/t5/Wireless-LAN/Mac-based-authentication-with-ISE-cloud-RADIUS-server-and-CoA/m-p/119165#M17008

Thanks

James

Mac-based authentication with ISE / cloud RADIUS server and CoA

by jamesw in Wireless LAN
05-24-2021 02:01 AM
We're testing out the following:

    Association requirements: MAC-based access control
    Splash page: Cisco Identity Services Engine (ISE) Authentication

We run a cloud RADIUS server which acts as the ISE in terms of the RADIUS handling.

So the flow currently works like this:

  • Client associates to SSID
  • Local AP sends Access-Request to configured RADIUS cloud server IP
  • Our RADIUS replies with an Access-Accept and a Cisco-AVPair redirect url
  • Client is redirected to our splash page URL and registers etc

All good up until this point, but the problem is that to get the user online, we have to send a CoA request back to the local AP from our cloud RADIUS. Whilst we can open the firewall and perform a port forward to the AP, this only works if there is a single AP. More than one AP, and the solution falls over because you can't externally access all the different APs using a single port forward.

Why can't Meraki allow the RADIUS proxy option to work with this setup? For true captive portal authentications we can send a CoA back to the Meraki cloud which in turn authenticates the user on the local AP. But for ISE, it disables the RADIUS proxy option.

Not everyone runs a local RADIUS server!

Does anyone know an alternative way of achieving MAC authentication AND external captive portal fall-back?

Thanks

J

Re: How to use both MAC based authentication *and* Click through/sign on at...

by jamesw in Wireless LAN
05-24-2021 12:46 AM
1 Kudo
Thanks, can you elaborate any further?

Do we need to set up a new SSID in Meraki and use the same VLAN ID, or can it use the same SSID? What SSID should we configure the splash page settings/RADIUS for in case of the MAC authentication being rejected?

It seems a strange way of doing it...

Re: MR 28 Private Beta Sign Up

by jamesw in Wireless LAN
05-21-2021 03:27 PM
Something I noticed... when you enable the RADIUS proxy option, the setting for the Called-Station-Id format disappears, but the NAS-ID format option is there. This seems a little odd and I don't understand why you still can't set both?

Without proxy:

With proxy:

Bug, or something else?

Thanks

J

How to use both MAC based authentication *and* Click through/sign on at the...

by jamesw in Wireless LAN
05-21-2021 07:24 AM
In the UI, you can select:

    Association: MAC-based access control
    Splash page: Click through

It accepts this and all is okay (I know you can't use sign on with RADIUS and MAC-based access control together).

However, how does this work in practice?

I would expect that if the RADIUS server replies with an Access-Reject, the end user will then be redirected to the configured click through splash URL, and if Access-Accept, the end user will be straight online without any splash authentication required.

But it seems to not work like this. If you do Access-Reject, it doesn't allow the device even to associate. If you do Access-Accept, the user is connected with no click through splash redirect and has full Internet. So, how do you actually get it to redirect someone to the splash page?

Thanks

J
My Top Kudoed Posts
Subject Kudos Views

Re: Definitive list of BSSID's / calculation for all Meraki OIU's?

Wireless LAN
2 3370

Re: How to use both MAC based authentication *and* Click through/sign on at...

Wireless LAN
1 1246

Re: MR 28 Private Beta Sign Up

Wireless LAN
1 11977
© 2023 Meraki